.. for SSL_set_options() call.
This allows parsedOptions to be private within PeerOptions,
which is needed to safely delay setting its value until
after the squid.conf line is fully parsed.
#if USE_OPENSSL
SSL_CTX_set_options(ctx.get(), parsedOptions);
#elif USE_GNUTLS
- // NP: GnuTLS uses 'priorities' which are set per-session instead.
+ // NP: GnuTLS uses 'priorities' which are set only per-session instead.
#endif
}
Security::PeerOptions::updateSessionOptions(Security::SessionPointer &s)
{
#if USE_OPENSSL
- // 'options=' value being set to session is a GnuTLS specific thing.
+ // XXX: Options already set before (via the context) are not cleared!
+ SSL_set_options(s.get(), parsedOptions);
+
#elif USE_GNUTLS
int x;
SBuf errMsg;
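Review bot: The added `SSL_set_options(s.get(), parsedOptions);` reads parsedOptions with no visible guarantee that it has been populated, yet the commit description says the member is going private so that setting it can be delayed until the squid.conf line is fully parsed. If this ran before that delayed parse, the call would OR in an empty mask and the session would keep only what it inherited from the context, with no error to show that the configured `options=` restrictions were not applied. Either ensure the parse at the top of updateSessionOptions() or state the precondition in a comment. Since SSL_set_options() only adds bits, the XXX could also say so: `// XXX: SSL_set_options() only ORs bits in; options inherited from the SSL_CTX stay set unless SSL_clear_options() is used.` The function starts before the OpenSSL branch shown here and its GnuTLS branch continues past the end of the hunk.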
SBuf tlsMinVersion; ///< version label for minimum TLS version to permit
+private:
Security::ParsedOptions parsedOptions; ///< parsed value of sslOptions
+public:
long parsedFlags = 0; ///< parsed value of sslFlags
std::list<Security::KeyData> certs; ///< details from the cert= and file= config parameters
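Review bot: Wrapping the single member in `private:` / `public:` works, but it leaves an access-specifier sandwich in the middle of the public data members with nothing explaining why this one field is special. Moving parsedOptions into the class's private section (if there is one outside this hunk), or extending its comment, would make the intent survive later edits: `Security::ParsedOptions parsedOptions; ///< parsed value of sslOptions; private so it is only applied via the context/session update methods`. parsedFlags on the next line stays public and is also described as a parsed value, so if it is meant to follow the same delayed-parse scheme it probably needs the same treatment.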
srvBio->mode(csd->sslBumpMode);
} else {
// Set client SSL options
- SSL_set_options(serverSession.get(), ::Security::ProxyOutgoingConfig.parsedOptions);
+ ::Security::ProxyOutgoingConfig.updateSessionOptions(serverSession);
const bool redirected = request->flags.redirected && ::Config.onoff.redir_rewrites_host;
const char *sniServer = (!hostName || redirected) ?